DOCSLIB.ORG

The European Union General Data Protection Regulation: What It Is and What It Means

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The European Union General Data Protection Regulation: What It Is and What It Means UvA-DARE (Digital Academic Repository) The European Union General Data Protection Regulation: What It Is And What It Means Hoofnagle, C.J.; van der Sloot, B.; Zuiderveen Borgesius, F. DOI 10.1080/13600834.2019.1573501 10.2139/ssrn.3254511 Publication date 2019 Document Version Final published version Published in Information & Communications Technology Law License CC BY Link to publication Citation for published version (APA): Hoofnagle, C. J., van der Sloot, B., & Zuiderveen Borgesius, F. (2019). The European Union General Data Protection Regulation: What It Is And What It Means. Information & Communications Technology Law, 28(1), 65-98. https://doi.org/10.1080/13600834.2019.1573501, https://doi.org/10.2139/ssrn.3254511 General rights It is not permitted to download or to forward/distribute the text or part of it without the consent of the author(s) and/or copyright holder(s), other than for strictly personal, individual use, unless the work is under an open content license (like Creative Commons). Disclaimer/Complaints regulations If you believe that digital publication of certain material infringes any of your rights or (privacy) interests, please let the Library know, stating your reasons. In case of a legitimate complaint, the Library will make the material inaccessible and/or remove it from the website. Please Ask the Library: https://uba.uva.nl/en/contact, or a letter to: Library of the University of Amsterdam, Secretariat, Singel 425, 1012 WP Amsterdam, The Netherlands. You UvA-DAREwill be contacted is a service as provided soon as by possible.the library of the University of Amsterdam (https://dare.uva.nl) Download date:23 Sep 2021 INFORMATION & COMMUNICATIONS TECHNOLOGY LAW 2019, VOL. 28, NO. 1, 65–98 https://doi.org/10.1080/13600834.2019.1573501 The European Union general data protection regulation: what it is and what it means* Chris Jay Hoofnaglea, Bart van der Slootb and Frederik Zuiderveen Borgesiusc,d aSchools of Information and of Law, University of California, Berkeley, CA, USA; bTilburg Institute for Law, Technology, and Society (TILT), Tilburg Law School (NL), Tilburg, Netherlands; cInstitute for Computing and Information Sciences (iCIS), Radboud University (NL), Nijmegen, Netherlands; dInstitute for Information Law (IViR), University of Amsterdam, Amsterdam, Netherlands ABSTRACT KEYWORDS This paper introduces the strategic approach to regulating personal General Data Protection data and the normative foundations of the European Union’s Regulation; GDPR; privacy; General Data Protection Regulation (‘GDPR’). We explain the data protection; personal genesis of the GDPR, which is best understood as an extension data; European Union and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information- intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches. 1. Introduction ‘Personal data is the new oil of the internet and the new currency of the digital world.’1 Suppose one bought into the metaphor of data as the new oil. One would want this new oil handled carefully. From extraction to disposal, all of its treatments would be planned carefully and executed by trained experts. One would want its extraction CONTACT Frederik Zuiderveen Borgesius [email protected] *All authors contributed equally to the paper. 1M Kuneva, ‘Keynote Speech SPEECH/09/156’ (Roundtable on Online Data Collection, Targeting and Profiling March 31, 2009) <http://europa.eu/rapid/press-release_SPEECH-09-156_en.htm>. All URLs in the footnotes were last accessed on 16 January 2019. © 2019 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/ licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. 66 C.J.HOOFNAGLEETAL. governed by a permit process, its uses managed to ensure it was not wasted, its storage secure, its disposal environmentally sound. One would want its externalities internalized and stakeholder interests considered. The European Union’s General Data Protection Regulation (‘GDPR’)2 faithfully executes the implications of the oil metaphor, despite the metaphor’s poor fit. The GDPR presumes that personal data are important, so much so that every aspect of interacting with data requires careful planning. In this paper, we explain the GDPR approach to lawyers and academics, whether they are privacy and EU law specialists or not. We explain the GDPR’s normative roots in mul- tiple constitutional documents, detail its most important provisions, and tie these pro- visions to the short and medium-term strategic goals of the GDPR. We also highlight differences and similarities when comparing the GDPR to U.S. privacy law. The GDPR has been law since 2016, but did not enter most lawyers’ attention until 2018, when its provisions became enforceable.3 In fact, much of the GDPR’s requirements were reflected in an earlier law – the Data Protection Directive – which had poor enforcement and compliance. The GDPR awakened lawyers and the business community because it calls for minimum 8-figure fines and creates both internal and external mechanisms to bolster enforcement efforts. As a result, the GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a complex and protective regu- latory regime. That said, the ideas contained within the GDPR are not entirely European, nor new. The GDPR’s protections can be found – albeit in weaker, less prescriptive forms – in U.S. privacy laws and in Federal Trade Commission settlements with companies.4 To get to the GDPR, some level-setting is in order. First, one should not underestimate the commitment to data protection in Europe. The GDPR implements constitutional com- mitments, ones that are deep and occupy a central place in the self-conception of a new, information age political body. As one of the drafters of the Charter of Fundamental Rights of the European Union, Stefano Rodotà, explained, The fundamental right to personal data protection should be considered a promise just like the one made by the king to his knights in 1215, in the Magna Charta, that they would not be imprisoned or tortured illegally –‘nor will go upon him nor send upon him.’ This promise, the habeas corpus, should be renewed and shifted from the physical body to the electronic body. The inviolability of the person must be reconfirmed and reinforced in the electronic dimension, according to the new attention paid to the respect for the human body (…).5 These commitments germinated long before the rise of contemporary Silicon Valley data companies but have only intensified as such companies have gained dominance. 2Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1 <http://ec.europa.eu/justice/data-protection/reform/ files/regulation_oj_en.pdf> (hereafter, ‘GDPR’). 3GDPR art 99(2): ‘It shall apply from 25 May 2018.’ 4U.S. credit reporting laws have use limitations; communications laws regulate collection, use and sale of user data; the videotape privacy protection act establishes deletion requirements; credit reporting and cable and satellite providers must provide data subject access; and so on. 5S Rodotà, ‘Data Protection as Fundamental Human Right,’ in S Gutwirth, Y Poullet, P De Hert, C de Terwangne, and S Nouwt (eds), Reinventing Data Protection? (Springer, 2009). INFORMATION & COMMUNICATIONS TECHNOLOGY LAW 67 To make the electronic body inviolable, the GDPR covers an immense landscape of potential informational problems. The GDPR attempts to answer information questions ex ante. Even remote, edge-case hypotheticals about data can be answered in the GDPR framework, with varying degrees of satisfaction. Second, laws such as the EU’s GDPR differ in construction from most U.S. regulatory text. The GDPR’s text is vague in some places and speaks at the level of aspirational prin- ciple. Parts of the GDPR could be characterized as ‘principles-based regulation’.6 The GDPR’s provisions are supplemented with even more indeterminate ‘recitals.’7 Such text flummoxes U.S. lawyers because of its lack of specificity. Third, the difference in construction leads to a practical consequence: whereas in the U.S., interactions with regulators typically mean that enforcement is afoot, in the E.U. context, colloquy with regulators is a routine rite in the compliance process. U.S. lawyers have fretted about perfect compliance, but in reality, European regulators rarely expect such compliance, nor will they impose 8-figure liability for small imperfections. As we explain below, massive liability will also be keyed to serious wrongdoing rather than accident or simple noncompliance. This paper does not aim to give detailed analyses of each GDPR provision. Rather, we focus on big themes, and often provide rough summaries of provisions, leaving out details that could be important in legal practice.
Load more

Recommended publications
  • The Right to Be Forgotten in the Light of the Consent of the Data Subject
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Open Repository and Bibliography - Luxembourg computer law & security review 32 (2016) 218–237 Available online at www.sciencedirect.com ScienceDirect www.compseconline.com/publications/prodclaw.htm The right to be forgotten in the light of the consent of the data subject Cesare Bartolini *, Lawrence Siry * University of Luxembourg, Luxembourg ABSTRACT Keywords: Recently, the Court of Justice of the European Union issued decision C-131/12, which was Data protection considered a major breakthrough in Internet data protection. The general public wel- General data protection reform comed this decision as an actualization of the controversial “right to be forgotten”, which Consent was introduced in the initial draft for a new regulation on data protection and repeatedly amended, due to objections by various Member States and major companies involved in massive processing of personal data. This paper attempts to delve into the content of that decision and examine if it indeed involves the right to be forgotten, if such a right exists at all, and to what extent it can be stated and enforced. © 2016 Cesare Bartoli & Lawrence Siry. Published by Elsevier Ltd. All rights reserved. forgotten is not mentioned in the current DPD provisions, yet 1. Introduction it has been statutorily introduced in the proposed General Data Protection Regulation (GDPR). The GDPR comes from the evo- In May 2014, the Court of Justice of the European Union (CJEU) lution of the DPD interpretation in the light of technological issued a decision1 which has been regarded as the enforce- developments since its adoption in 1995.
    [Show full text]
  • 'The Right to Be Forgotten: More Than a Pandora's Box?'
    Rolf H. Weber The Right to Be Forgotten More Than a Pandora’s Box? by Rolf H. Weber,* Dr.; Chair Professor for International Business Law at the University of Zurich and Visiting Professor at the University of Hong Kong Abstract: Recently, political voices have ple of free speech. Therefore, its scope needs to be stressed the need to introduce a right to be forgot- evaluated in the light of appropriate data protection ten as new human right. Individuals should have the rules. Insofar, a more user-centered approach is to right to make potentially damaging information dis- be realized. “Delete” can not be a value as such, but appear after a certain time has elapsed. Such new must be balanced within a new legal framework. right, however, can come in conflict with the princi- Keywords: Data protection; delete; free speech; privacy; privacy enhancing technologies; user-centered ap- proach © 2011 Rolf. H. Weber Everybody may disseminate this article by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at http://nbn-resolving. de/urn:nbn:de:0009-dppl-v3-en8. Recommended citation: Rolf H. Weber, The Right to Be Forgotten: More Than a Pandora’s Box?, 2 (2011) JIPITEC 120, para. 1. A. Introduction specific “case” is described in Mayer-Schönberg- er’s book Delete: The Virtue of Forgetting in the Digital 4 1 In 2010 a first legislative project was developed in Age. Stacy Snyder, a 25-year-old former education France that envisaged
    [Show full text]
  • International Association of Jewish Genealogical Societies
    International Association of Jewish Genealogical Societies To: IAJGS Members-2018 Annual Session From: Jan Meisels Allen, Chairperson, IAJGS Public Records Access Monitoring Committee Re: Public Records Access Monitoring Committee-Annual Report Date: June 1, 2018 Committee Members 2017-2018 Jan Meisels Allen, Chairperson, Agoura Hills, California Bert Lazerow, San Diego, California Teven Laxer, Sacramento, California Mark Nicholls, Edgeware, Middlesex, London, UK Paul Silverstone, New York, New York Catherine Youngren, Coquitlam, British Columbia, Canada Ken Bravo, ex officio, President IAJGS, Cleveland, Ohio The Public Records Access Monitoring Committee (PRAMC) had a busy year monitoring and addressing issues affecting access to public records. The IAJGS PRAMC added a new committee member this year: Herbert “Bert” Lazerow who is a Professor of Law, University of San Diego and a member of the San Diego JGS. We are delighted to have Bert join us on the committee. He brings knowledge and expertise that greatly enhances the overall work of the committee. Access to vital records, census documents and other records is essential to the ability of genealogists to research family histories—whether as a business or a personal hobby. In some instances, PRAMC monitors legislation and regulations rather than taking action in order to assess whether action may become necessary. Information is posted on the IAJGS Records Access Alert as soon as it becomes available. JewishGen PRAMC is no longer permitted to post notices about pending matters on JewishGen as per the JewishGen Operations Committee rules, set three years ago, if the action is not a final adoption of a law, rule or court decision.
    [Show full text]
  • Right to Be Forgotten”: Remembering Freedom of Expression
    The “Right to be Forgotten”: Remembering Freedom of Expression 2016 Policy Brief Executive Summary ARTICLE 19 Free Word Centre In this policy brief, ARTICLE 19 provides comprehensive recommendations on how to 60 Farringdon Road ensure protection of the right to freedom of expression with regard to the so-called “right London to be forgotten.” EC1R 3GA United Kingdom The “right to be forgotten” usually refers to a remedy which in some circumstances enables T: +44 20 7324 2500 individuals to demand from search engines the de-listing of information about them which F: +44 20 7490 0566 appears following a search for their name. It can also refer to demands to websites’ hosts E: [email protected] to erase certain information. More broadly, it has been considered as a right of individuals W: www.article19.org "to determine for themselves when, how, and to what extent information about them is Tw: @article19org communicated to others”1 or as a right that gives the individual increased control over Fb: facebook.com/article19org information about them. It has been categorised as a privacy right even though it applies to information that is, at least to some degree, public. ISBN: 978-1-910793-33-6 © ARTICLE 19, 2015 The “right to be forgotten” is expressly recognised neither in international human rights instruments nor in national constitutions. Its scope remains largely undefined: it ranges from a This work is provided under the Creative Commons Attribution-Non-Commercial-ShareAlike 2.5 licence. more limited right protected by existing data protection law to broader notions encompassing You are free to copy, distribute and display this work and to make derivative works, except for the images the protection of reputation, honour and dignity.
    [Show full text]
  • The Right to Be Forgotten: a Step in the Right Direction for Cyberspace Law and Policy
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE Journal of Law, Technology & the Internet · Vol. 6 · 2015 provided by Case Western Reserve University School of Law THE RIGHT TO BE FORGOTTEN: A STEP IN THE RIGHT DIRECTION FOR CYBERSPACE LAW AND POLICY Lyndsay Cook I. BACKGROUND AND IMPLEMENTATION In 2010, a Spanish citizen filed a complaint against Google Spain and Google Inc., arguing that an auction notice of his repossessed home on Google’s search results violated his privacy rights because the repossession proceeding had been resolved long ago, and was no longer relevant.1 Believing that the outdated content was causing damage to his reputation, the citizen argued Google should be required to remove it so that it would no longer show up in a search of his name.2 The case was referred to a Court of Justice for the European Union (“EU”) who was asked to decide whether an individual has the right to request that his or her personal data be removed from accessibility via a search engine (“the right to be forgotten”).3 In a landmark decision, the EU court held that Internet search engines must remove personal information associated with an individual when the information is “inaccurate, inadequate, irrelevant or excessive.”4 Simply put, the new “right to be forgotten” provides a remedy for individuals seeking to have harmful or embarrassing details about themselves removed from the Internet, when certain criteria are met. In practice, the right to be forgotten should function in a fairly straightforward manner.
    [Show full text]
  • The Right to Be Forgotten As a New Challenge of Human Rights
    The Right to be Forgotten As a New Challenge of Human Rights: Analysing its Functioning in the Personal Data Protection Zihan Yan E.MA MASTER’S DEGREE IN HUMAN RIGHTS AND DEMOCRATISATION Academic year 2012-2013 SUPERVISED BY KOEN LEMMENS Katholieke Universiteit Leuven Acknowledgement I would like to express my gratitude to my supervisor, Professor Koen Lemmens, who is Director of the E.MA programme for Katholieke Universiteit Leuven helped me carry out the research. I take immense pleasure in thanking Michaël Merrigan, teaching assistant at the KUleuven Institute for Human Rights and Critical Studies and the whole staff of Faculty of Law in KUleuven which hosted me during the second semester. Without their help this research would not have been possible. Finally, I wish to express thanks to the whole E.MA staff and masterini crew for the wonderful year together. Abstract: Rapid technological developments have brought new challenges for the protection of personal data. The right to be forgotten as an element of personal data protection has been debated hotly and controversially for the past few years, especially in Europe. The scale of data sharing and collecting has made personal information publicly and globally available, therefore it is necessary to provide a legal mechanism to persons to remove their personal data from online databases. This thesis seeks to address how important the right to be forgotten will be as a new human right to protect personal data information in the digital age. The right to be forgotten needs better definition to avoid negative consequences since it is not very clear yet.
    [Show full text]
  • The General Data Protection Regulation Long Awaited EU-Wide Data Protection Law Is Now Applicable GDPR | Introduction
    The General Data Protection Regulation Long awaited EU-wide data protection law is now applicable GDPR | Introduction Introduction May 25th... A defining day in Privacyland. As I write, the long-awaited introduction of the General Data Protection Regulation is upon us. And what a busy time the run-up to this day has been! My team has been supporting many, many organisations as they geared up their data policies and practices to comply with GDPR. From performing gap assessments and running transformation programmes to advising on governance issues. I am really proud of my team and what we have achieved together. Tried, tested and new Catching up A snapshot of organisations today would show varying In the past year, through articles, blogs and vlogs, our degrees of GDPR-readiness. Some are very well team has shared a vast amount of relevant information prepared, but there is room for surprises, as we do not with the public on privacy-related issues. We have now know how exactly GDPR will be enforced in practice. brought them together in this magazine, as an easy way Some organisations still have some ground to cover. for our clients to catch up. But developments do not And there are some still at the very start of their stop here, nor will we. I am really looking forward to the journey. Deloitte will continue to provide them all with next season in Privacyland! our tried and tested GDPR services. Annika Sponselee But we are now entering a new reality for organisations, with new needs. And Deloitte is ready to respond.
    [Show full text]
  • EDPB Guidelines 5/2019 on the Criteria of the Right to Be Forgotten
    Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) Version 2.0 Adopted on 7 July 2020 1 Adopted Version history Version 2.0 7 July 2020 Adoption of the Guidelines after public consultation Version 1.1 17 February 2020 Minor corrections Version 1.0 2 December 2019 Adoption of the Guidelines for public consultation 2 Adopted Table of contents Introduction............................................................................................................................................. 4 1 The grounds of the Right to request delisting under GDPR............................................................ 6 1.1 Ground 1: The Right to request delisting when the personal data are no longer necessary in relation to the search engine provider’s processing (Article 17.1.a) .................................................. 7 1.2 Ground 2: The Right to request delisting when the data subject withdraws consent where the legal basis for the processing is pursuant to Article 6.1.a or Article 9.2.a GDPR and where there is no other legal basis for the processing (Article 17.1.b) ................................................................... 7 1.3 Ground 3: The Right to request delisting when the data subject has exercised his or her Right to object to the processing of his or her personal data (Article 17.1.c) .................................... 8 1.4 Ground 4: The Right to request delisting when the personal data have been unlawfully processed (Article 17.1.d) ................................................................................................................... 9 1.5 Ground 5: The Right to request delisting when the personal data have to be erased for compliance with a legal obligation (Article 17.1.e)........................................................................... 10 1.6 Ground 6: The Right to request delisting when the personal data have been collected in relation to the offer of information society services (ISS) to a child (Article 17.1.f)........................
    [Show full text]
  • Internet Privacy and the Right to Be Forgotten/Right to Oblivion
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE providedUniversitat by Revistes ObertaCatalanes de ambCatalunya Accés Obert http://idp.uoc.edu Monograph «VII International Conference on Internet, Law & Politics. Net Neutrality and other challenges for the future of the Internet» ARTICLE Internet Privacy and the Right to Be Forgotten/Right to Oblivion Cécile de Terwangne Submitted: December 2011 Accepted: December 2011 Published: February 2012 Abstract The right to oblivion, equally called right to be forgotten, is the right for natural persons to have infor- mation about them deleted after a certain period of time. The Internet has brought with it a need for a new balance between the free dissemination of information and individual self-determination. This balance is precisely what is at stake with the right to oblivion. This right has three facets: the right to oblivion of the judicial past, the right to oblivion established by data protection legislation and a new, and still controversial, digital right to oblivion that amounts to personal data having an expiration date or being applicable in the specific context of social networks. This paper analyses each of these facets within the Internet environment. Keywords right to be forgotten, right to oblivion, privacy, data protection, right to object Topic IT law, data protection law Privacidad en Internet y el derecho a ser olvidado/derecho al olvido Resumen El derecho al olvido, también llamado derecho a ser olvidado, es el derecho de las personas físicas a hacer que se borre la información sobre ellas después de un período de tiempo determinado.
    [Show full text]
  • An American Right to Be Forgotten
    Tulsa Law Review Volume 52 Issue 2 Article 23 Winter 2017 An American Right to Be Forgotten John W. Dowdell Follow this and additional works at: https://digitalcommons.law.utulsa.edu/tlr Part of the Law Commons Recommended Citation John W. Dowdell, An American Right to Be Forgotten, 52 Tulsa L. Rev. 311 (2017). Available at: https://digitalcommons.law.utulsa.edu/tlr/vol52/iss2/23 This Casenote/Comment is brought to you for free and open access by TU Law Digital Commons. It has been accepted for inclusion in Tulsa Law Review by an authorized editor of TU Law Digital Commons. For more information, please contact [email protected]. Dowdell: An American Right to Be Forgotten AN AMERICAN RIGHT TO BE FORGOTTEN * John W. Dowdell I. INTRODUCTION In 1890, America’s “Father of Psychology,” William James, wrote that “[i]n the practical use of our intellect, forgetting is as important as recollecting.”1 That same year, eventual Supreme Court Justice Louis D. Brandeis and his Harvard Law classmate Samuel D. Warren co-authored The Right to Privacy.2 The stated purpose of the latter was “to consider whether the existing law afford[ed] a principle which [could] properly be invoked to protect the privacy of the individual; and, if it [did], what the nature and extent of such protection [was].”3 While the legal protection of individual privacy rights in the United States has progressed slowly through the common law in the century and a quarter since Brandeis and Warren first argued in its defense, the European Union (“E.U.”) has made considerable strides in the protection of its citi- zens’ privacy rights.4 As a result, citizens of all twenty-eight E.U.
    [Show full text]
  • The “Right to Be Forgotten” and Search Engine Liability
    BRUSSELS PRIVACY HUB WORKING PAPER VOL. 2 • N° 8 • DECEMBER 2016 THE “RIGHT TO BE FORGOTTEN” AND SEARCH ENGINE LIABILITY by Hiroshi Miyashita1 Abstract his paper aims to conduct a comparative study on the right to be forgotten by analyzing the different approaches on the intermediary liability. In the EU, Google Spain case in the Court of Justice clarified the liability of search engine on the ground of data controller’s respon- sibility to delist a certain search results in light of fundamental right of privacy and data protection. On the contrary, in the U.S., the search engine liability is broadly exempted under Tthe Communications Decency Act in terms of free speech doctrine. In Japan, the intermediary liability is not completely determined as the right to be forgotten cases are divided in the point of the search engine liability among judicial decisions. The legal framework of the intermediary liability varies in the context from privacy to e-commerce and intellectual property. In the wake of right to be forgotten case in the EU, it is important to streamline the different legal models on the intermediary liability if one desires to fix its reach of the effect on right to be forgotten. This paper analyzes that the models of the search engine liability are now flux across the borders, but should be compromised by way of the appropriate balance between privacy and free speech thorough the right to be forgotten cases. Keywords: Privacy, Data Protection, Right to be Forgotten, Search Engine, Intermediary Liability © BRUSSELS PRIVACY HUB q WORKING PAPER q VOL.
    [Show full text]
  • Down the Rabbit Hole: Applying a Right to Be Forgotten to Personal Images Uploaded on Social Networks
    Fordham Intellectual Property, Media and Entertainment Law Journal Volume 30 XXX Number 4 Article 2 2020 Down the Rabbit Hole: Applying a Right to Be Forgotten to Personal Images Uploaded on Social Networks Eugenia Georgiades Bond University, [email protected] Follow this and additional works at: https://ir.lawnet.fordham.edu/iplj Part of the Intellectual Property Law Commons, and the International Law Commons Recommended Citation Eugenia Georgiades, Down the Rabbit Hole: Applying a Right to Be Forgotten to Personal Images Uploaded on Social Networks, 30 Fordham Intell. Prop. Media & Ent. L.J. 1111 (2020). Available at: https://ir.lawnet.fordham.edu/iplj/vol30/iss4/2 This Article is brought to you for free and open access by FLASH: The Fordham Law Archive of Scholarship and History. It has been accepted for inclusion in Fordham Intellectual Property, Media and Entertainment Law Journal by an authorized editor of FLASH: The Fordham Law Archive of Scholarship and History. For more information, please contact [email protected]. Down the Rabbit Hole: Applying a Right to Be Forgotten to Personal Images Uploaded on Social Networks Cover Page Footnote Dr. Eugenia Georgiades, Assistant Professor Faculty of Law, Bond University. The author would like to thank Professor Brad Sherman, Associate Professor Leanne Wiseman, Associate Professor Jay Sanderson, and Dr. Allan Ardil for their feedback. This article is available in Fordham Intellectual Property, Media and Entertainment Law Journal: https://ir.lawnet.fordham.edu/iplj/vol30/iss4/2 Down the Rabbit Hole: Applying a Right to Be Forgotten to Personal Images Uploaded on Social Networks Eugenia Georgiades* The right to be forgotten has been the subject of extensive scrutiny in the broad context of data protection.
    [Show full text]